Dear Bento4 developers, I used AFL++ to fuzz test Bento4 and found some problems.
To debug a program built with ASan, here is some output
=================================================================
==3304149==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000160 at pc 0x00000055f635 bp 0x7ffce575b390 sp 0x7ffce575b388
READ of size 1 at 0x602000000160 thread T0
#0 0x55f634 in AP4_BitReader::ReadCache() const /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Utils.cpp:447:40
#1 0x55f634 in AP4_BitReader::ReadBits(unsigned int) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Utils.cpp:467:40
#2 0x689547 in AP4_Dac4Atom::AP4_Dac4Atom(unsigned int, unsigned char const*) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Dac4Atom.cpp:238:75
#3 0x68023a in AP4_Dac4Atom::Create(unsigned int, AP4_ByteStream&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Dac4Atom.cpp:58:16
#4 0x5e0d23 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:776:24
#5 0x5dbfaf in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:234:14
#6 0x66f83f in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
#7 0x5282fe in AP4_AudioSampleEntry::AP4_AudioSampleEntry(unsigned int, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4SampleEntry.cpp:420:5
#8 0x4eea5d in AP4_EncaSampleEntry::AP4_EncaSampleEntry(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Protection.cpp:74:5
#9 0x5df5d5 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:298:24
#10 0x5dbfaf in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:234:14
#11 0x5424ae in AP4_StsdAtom::AP4_StsdAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4StsdAtom.cpp:101:13
#12 0x53f61b in AP4_StsdAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4StsdAtom.cpp:57:16
#13 0x5df866 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:458:20
#14 0x5dbfaf in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:234:14
#15 0x5dafb8 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:154:12
#16 0x4dac06 in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4File.cpp:104:12
#17 0x4db68f in AP4_File::AP4_File(AP4_ByteStream&, bool) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4File.cpp:78:5
#18 0x4c7733 in main /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Apps/Mp42Aac/Mp42Aac.cpp:250:22
#19 0x7f0af5948082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16
#20 0x41c8ed in _start (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp42aac+0x41c8ed)
0x602000000160 is located 0 bytes to the right of 16-byte region [0x602000000150,0x602000000160)
allocated by thread T0 here:
#0 0x4c48ad in operator new[](unsigned long) (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp42aac+0x4c48ad)
#1 0x4d7ec3 in AP4_DataBuffer::ReallocateBuffer(unsigned int) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4DataBuffer.cpp:210:28
#2 0x4d7ec3 in AP4_DataBuffer::SetBufferSize(unsigned int) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4DataBuffer.cpp:136:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Utils.cpp:447:40 in AP4_BitReader::ReadCache() const
Shadow bytes around the buggy address:
0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff8000: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fff8010: fa fa 04 fa fa fa fd fa fa fa 01 fa fa fa 00 fa
=>0x0c047fff8020: fa fa 00 07 fa fa 00 07 fa fa 00 00[fa]fa fa fa
0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3304149==ABORTING
=================================================================
==72210==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6190000009a0 at pc 0x000000494530 bp 0x7fffba3cc440 sp 0x7fffba3cbc08
WRITE of size 4294967280 at 0x6190000009a0 thread T0
#0 0x49452f in __asan_memcpy (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp42aac+0x49452f)
#1 0x4d2f73 in AP4_MemoryByteStream::WritePartial(void const*, unsigned int, unsigned int&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ByteStream.cpp:785:5
#2 0x4ca625 in AP4_ByteStream::Write(void const*, unsigned int) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ByteStream.cpp:77:29
#3 0x66a336 in AP4_CencSampleEncryption::DoWriteFields(AP4_ByteStream&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4CommonEncryption.cpp:3569:16
#4 0x5ae219 in AP4_Atom::Clone() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Atom.cpp:316:9
#5 0x509fd4 in AP4_SampleDescription::AP4_SampleDescription(AP4_SampleDescription::Type, unsigned int, AP4_AtomParent*) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4SampleDescription.cpp:138:41
#6 0x52a4d0 in AP4_GenericAudioSampleDescription::AP4_GenericAudioSampleDescription(unsigned int, unsigned int, unsigned short, unsigned short, AP4_AtomParent*) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4SampleDescription.h:258:9
#7 0x52a4d0 in AP4_AudioSampleEntry::ToSampleDescription() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4SampleEntry.cpp:625:16
#8 0x547f18 in AP4_StsdAtom::GetSampleDescription(unsigned int) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4StsdAtom.cpp:181:53
#9 0x4c77b8 in main /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Apps/Mp42Aac/Mp42Aac.cpp:268:39
#10 0x7fe70ea9d082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16
#11 0x41c8ed in _start (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp42aac+0x41c8ed)
0x6190000009a0 is located 0 bytes to the right of 1056-byte region [0x619000000580,0x6190000009a0)
allocated by thread T0 here:
#0 0x4c48ad in operator new[](unsigned long) (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp42aac+0x4c48ad)
#1 0x4d7b67 in AP4_DataBuffer::ReallocateBuffer(unsigned int) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4DataBuffer.cpp:210:28
#2 0x4d7b67 in AP4_DataBuffer::SetBufferSize(unsigned int) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4DataBuffer.cpp:136:16
#3 0x4d7b67 in AP4_DataBuffer::Reserve(unsigned int) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4DataBuffer.cpp:107:12
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp42aac+0x49452f) in __asan_memcpy
Shadow bytes around the buggy address:
0x0c327fff80e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff80f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff8130: 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==72210==ABORTING
Dear Bento4 developers, I used AFL++ to fuzz test Bento4 and found some problems. To debug a program built with ASan, here is some output
Crash input:
poc.zip poc1.zip
Validation steps
环境